BBC data breach affects 25,000 current and former employees

Second attack on pension scheme in less than a year

Image: Shutterstock

The BBC has begun an investigation after the details of more than 25,000 current and former employees were exposed in a data breach.

Members of the BBC pension scheme – one of the largest in the country – received an email, which Computing has seen, stating that some pension scheme records had been copied from a cloud data storage service.

In addition to names and dates of birth, the compromised data also includes home addresses and national insurance numbers.

A spokesman for the £695m pension scheme, which has 50,000 members, said no bank details, email addresses, usernames or passwords had been compromised.

There is currently no evidence that this was a ransomware attack. Pension scheme members have not been told to take any specific action, but have been urged to remain "vigilant for any activity that seems unusual."

This includes being cautious about any unsolicited or unexpected letters, telephone calls, texts or emails, as well as information referring them to a web page.

A BBC pension scheme spokesman said: "The BBC's information security team has alerted us to a data security incident, in which some BBC pension scheme records have been copied from an online data storage service.

"We sincerely apologise to members affected by this and appreciate this will be concerning. We want to reassure members that the BBC has responded quickly and that the source of the incident has been secured."

In addition to the BBC launching an investigation into the incident, the Information Commissioner's Office (ICO) and Pensions Regulator have also been informed.

The breach is the second within a year. Last year, members of the BBC's pension scheme had their personal data compromised in the MOVEit cyberattack.

British Airways, Boots and Ofcom were also victims of the Russian group Clop. Whilst a tiny amount of data was released onto the dark web following the first attack, the group never made good on its threat of a large-scale publication of stolen data.

Some comments from a private Facebook group for BBC pension scheme members which Computing has also seen suggest a degree of anger that the same details have been compromised again. Members also questioned the wisdom of putting confidential data into cloud storage.

The nature of this attack has also drawn comment from data privacy experts, including Lauren Wills-Dixon from law firm Gordons who said:

"Whilst this breach appears to have been through a third-party cloud storage provider, the BBC - and any 'data controller' under data protection laws - remains primarily responsible for the security measures it adopts and external providers it engages to store and protect its personal data.

"Government figures show that cyber incidents of this kind are becoming more common and it's another timely reminder to any organisation engaging third parties for solutions like HR or payroll IT systems, to ensure that such third parties have robust security measures in place to protect personal and special category or sensitive personal data."